NEWS FROM THE LAB - January 2014
 

 

Friday, January 31, 2014

 
The End Of Privacy Posted by Sean @ 17:05 GMT

Mikko is featured in this week's edition of NPR's TED Radio Hour: The End Of Privacy.

TED Radio Hour, The End of Privacy

I've been looking forward to this particular episode ever since Mikko mentioned a few weeks ago he had an interview scheduled with TRH host, Guy Raz. Besides Mikko, the lineup includes: Hasan Elahi, Beth Noveck, John Wilbanks, and Alessandro Acquisti.

It's a great weekend listen — be sure to check it out.

Post by — Sean

 
 

 
 
Thursday, January 30, 2014

 
2004-01-30: Weblog for Mydoom Incident Started Posted by Sean @ 13:06 GMT

Monday, the 26th of January, 2004: Mydoom started spreading.



And on Friday, the 30th of January, 2004: the universe's first antivirus blog was born!

Weblog for Mydoom Incident Started

Then Sunday…

It's Sunday

Continuing to this very day!

Thank you, loyal readers.

To quote Mikko: "I've never had an uninteresting day at work." And the mission of this blog? To share some of the fun.

Code Warriors:

FSHQ's lobby.

Lab coats:

Nerds.

Alexey, Jusu, Jarno, and Jarkko:

AJJJ

Helsinki + Kuala Lumpur:

Everybody together.

Ero in action:

Ero in action.

Mika the virenjager:

Virenjager.

Antti's phish story:

Fishing.

Bagles:

Not really bagels, just bagel shaped bread.

Testing laptop locks:

Putting a Kensington lock to the test.

Most people don't even know what a rootkit is…

Most people, I think, don't even know what a Rootkit is, so why should they care about it?

Happy Anniversary, News from the Lab!

—————

P.S. More than 2,600 entries are available in our monthly archives.
 
 

 
 
Tuesday, January 28, 2014

 
It looks like you're trying to redact a document... Posted by Sean @ 10:18 GMT

The New York Times, ProPublica, and The Guardian have just published articles with details on how the NSA and GCHQ use "leaky" mobile phone apps to track targets. Unfortunately, one of the source documents published by The New York Times wasn't properly redacted. The end result is that an NSA employee's name has been disclosed (as well as information about an NSA target).

It looks like you're trying to redact a document.

Information wants to be free, it seems…

More details on the SNAFU from: The Daily Banter.

 
 

 
 
Wednesday, January 22, 2014

 
City of Franca Website Compromised Posted by Timo @ 22:27 GMT

While analyzing the URLs of malicious redirectors our product had detected, a Flash object hosted on a .gov.br domain caught my eye. Since my Portuguese is a little rusty, I turned to a colleague in our office in Brazil, and she confirmed that the domain belongs to the city of Franca in São Paulo, Brazil.

One of the JavaScript files on the website has been appended with malicious code that loads the Flash redirector. Here is a snippet of the Fiddler session:

Screenshot of Fiddler session

The request highlighted in yellow loads the malicious Flash object which injects an iframe that redirects the browser to another domain (blurred in the screenshot).

It seems that the website was compromised by exploiting the outdated version 1.5 of the open-source content management system Joomla. Most likely this is not the only .gov.br website running the unpatched version: Senior Security Researcher Fabio Assolini pointed out in his tweet that incidents on .gov.br domains are very common.

We have contacted the Computer Security and Incident Response Team - CTIR Gov about the incident.

F-Secure detects the malicious Flash object (SHA1:b0c68dbd6f173abf6c141b45dc8c01d42f492a20) as Trojan:SWF/Redirector.EQ. In addition, our Browsing Protection component blocks access to the compromised URLs until the website has been cleaned.

Post by — @Timo

 
 

 
 
Tuesday, January 21, 2014

 
Policeware – good or bad? Posted by Micke @ 17:09 GMT

The malware scene is changing constantly, and one of the remarkable changes is that today the bad guys might be the good guys. That is, the guys who were supposed to be good. To express it slightly less confusingly: authorities have become one of the major malware players, and US agencies are already the world's largest buyers of exploits.

This makes an old ethical question for us malware fighters more important than ever. How to deal with policeware? Should this kind of malware be detected or not? F-Secure's stance has been clear. Yes, we do detect any kind of malware. And no, we do not keep any whitelists for authorities' policeware. We have not received any requests to whitelist policeware, and we would refuse to do so if requested.

This might raise mixed feelings as there no doubt are cases where the police work for our common good. There are dangerous criminals that should be behind bars, so why not use any available weapon against them? Aren't we protecting them by refusing to whitelist policeware? Let's take a closer look at the problem and we'll see why there really is no alternative to our current policy.

Why is it a bad idea for an anti-malware vendor to whitelist policeware?

  •  Authorities' powers are always restricted to a defined geography, but our anti-malware technology is used globally. There is no reliable way for the scanner engine to verify that the policeware is used within its author's jurisdiction.

  •  Legit warrants always define the suspect. But our anti-malware technology is generic for all customers and can't verify that the policeware is used against the right target.

  •  When encountering a whitelisted file, our scanner can't verify who is controlling it and who it reports back to. Whitelisting would be irresponsible as real malware could sneak through that way.

  •  We have an obligation to protect our customers from malware as well as we can. That's what we promise when selling the product. We could naturally make an exception in cases where there is a valid warrant against the user. But as stated above, it is impossible to verify that condition.

  •  Laws are different in every country. The policeware might be legal in one country but illegal in another. This is complex and unfeasible for us to investigate.

  •  Which countries' authorities should we serve? We might trust our own country's police, but what about Spain, Brazil, Canada, Israel, Egypt, China, North Korea or USA? Just to mention some randomly picked countries. Should we serve them too? How can we verify that they have legit motives for using spying tools?

  •  If policeware is misused without an appropriate warrant or otherwise against the law, we have a moral obligation to inform the victim. Otherwise we take part in the crime.

So the problem is really that valid warrants target a well-defined individual or group, but a whitelisting of policeware would be targeting our whole user-base globally. That makes the downside of whitelisting magnitudes larger than the upside.

But that's not all. Here's why it is an even worse idea for agencies to ask for whitelisting.

  •  Whitelisting requires us to know what to whitelist. The policeware must have a unique and reliable identification mechanism. A core goal for malware is to be as hard as possible to detect, and such an identifier will make the policeware easier to detect and less effective. It could be used for both white- and blacklisting.

  •  Whitelisting forces agencies to reveal details about their policeware programs to outsiders, which increases the risk of leaks. They also need to reveal the mere existence of the program. Keep in mind that they would need to talk to many anti-malware vendors to get effective whitelisting, not just to us.

  •  The reliable identifier needed to whitelist policeware ties it to the agency. It gives the suspects a way to know that they are being watched by the authorities. A malware infection that is detected could otherwise blend in with the overall malware threat and not necessarily alert the suspects.

  •  As recent news coverage reveals, a significant part of the policeware seems to be outright illegal or at least on shaky ground. This makes it even less sensible for the agencies to talk to outsiders about it.

The best strategy for agencies is to play the same game as the bad boys. To change the policeware constantly and try to fly under the anti-malware products' radar. When their program gets caught, they change it and try again, and the target may think it was an ordinary malware attack. Law enforcement agencies have plenty of resources and are well able to play this game successfully. And many criminals are probably not that tech savvy. Even big organized gangs might operate without properly protected computers. Reality is not like in the movies where the villain is both a global drug dealer and a super-hacker at the same time. Many criminals are soft targets even without whitelisting policeware.

Our policy to never whitelist is old already, but today it's more important than ever. The police used to be trustworthy in the good old days. Warrants and targeted actions against suspects have been seen as a legit part of crime-fighting. It's sad to see how this traditional police work blends into secret mass surveillance with totally different motives. It's not only sad, it's scary as this is creating a chasm between citizens and the authorities.

With this in mind, it is easy to see why a strict policy against whitelisting really is the only alternative. It has always been an easy choice, now it is a no-brainer.

Post by — Micke

 
 

 
 
Friday, January 17, 2014

 
Was "Metadata" leaked in the Target breach? Posted by Sean @ 13:43 GMT

The Target data breach has been big news ever since Brian Krebs broke the story several weeks ago.

And our analysts have been investigating the related malware samples, all very interesting, but one thing I'd like to know is this: if Target knows you're pregnant… do the hackers now know, too?

Back in February of 2012, the New York Times published an article by Charles Duhigg based on his book, The Power of Habit. And one of the more interesting things revealed in the article, was that Target very actively analyzes customer behavior patterns.

life events.

pregnancy prediction score

In other words: Target generates lots of metadata and customer analytics.

According to Bloomberg, Target has said the theft of customer data may have affected anyone who provided it basic information over the past several years. Provided?

As in data that was filled out on an application for credit — or does "provided" include data that was learned based on shopping patterns? The breach of 70 million records which included name and home address hints at a back end compromise that is far deeper than point of sale malware.

We've all learned the value of metadata in the last half-year.

Forget about the breached credit card numbers. Target's analytics would be an identity theft goldmine.

Post by — @Sean

 
 

 
 
Wednesday, January 15, 2014

 
Compromised Sites Pull Fake Flash Player From SkyDrive Posted by SecResponse @ 19:40 GMT

On most days, our WorldMap shows more of the same thing. Today is an exception.

1_wmap (106k image)

One infection is ranking so high in the charts that it captured our attention.

Checking the recent history of this threat, we saw that over the past few days its infection hits have been increasing.

2_spike (9k image)

So we dug deeper… it wasn't long before we saw that a lot of scripts hosted on various websites had been compromised. Our telemetry showed that almost 40% of the infected websites were hosted in Germany. On those sites, malicious code has been appended to the scripts; it can look as simple and short as this:

4_script (12k image)

Or a bit longer to include the use of cookies, such as this:

3_code (132k image)

Successful redirection leads to a fake Flash download site that looks similar to these pages:

5_flash1 (64k image)

6_flash2 (32k image)

6_main_page_after_clicking_download (40k image)

The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account.

When the malicious flashplayer.exe is executed, this message is displayed to the user.

7_dialog (1k image)

Meanwhile, in the background, it connects once again to the same SkyDrive account in order to download additional malware.

8_skydrive (21k image)

Initial analysis showed that the sample is connecting to these locations.

9_post (59k image)

SHA1 Hashes:
804d61d9d363d2ad412272043744701096e4b7f8
b9af02020389459d01911c7c4f4853bf3b5eafe4


—————

Post by — Karmina and Christine

Fake Minecraft Android App Using Smalihook Posted by SecResponse @ 11:13 GMT

While we were analyzing the fake Minecraft app the other day, we noticed that it was using a hacking tool called Smalihook, so we took a look at it.

The tool is for hooking Java functions and it works just like any other hooking library. After the hooked function triggers, it can return anything to the caller. In this case, the following functions were hooked:

  •  getInstallerPackageName(String packageName)
  •  getPackageInfo(String packageName, int flags)

The function getInstallerPackageName does the following:

  •  Retrieve the package name of the application that installed a package. This identifies which market the package came from.

When this hook triggers, it returns the value "com.google.android.feedback", even though the app wasn't downloaded from the Google Play Store; it just wants to look like it came from there.

The function getPackageInfo does the following:

  •  Retrieve overall information about an application package that is installed on the system.

smalihook (6k image)

The hook checks whether the second parameter (the flags) contains the constant 0x00000040 (64), GET_SIGNATURES, and if so returns the original Mojang certificate embedded inside the dex file (the trojanized app itself is signed with a debug certificate). This is done because the legitimate app it was based on includes an authentication routine that refuses to run if its certificate verification check doesn't find the correct certificate. Mojang's developers apparently didn't want their application to be redistributed in packages signed with a developer cert, especially since their app is not free.
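As an added illustration, not code from the post or from Mojang's app, here is the kind of signing-certificate and installer-source self-check that the two hooked functions defeat: it calls getPackageInfo with GET_SIGNATURES (0x40) and compares the signer certificate's SHA-256 fingerprint against a pinned value, and it compares getInstallerPackageName against the installer name the post says the hook returns. The pinned fingerprint is a placeholder; because both calls are made inside the app's own process, an in-process hook that substitutes the return values makes both checks pass, which is exactly the weakness the post describes.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Illustrative self-check of the kind the hooked functions are meant to defeat.
 * Example code, not Mojang's; the expected fingerprint is a placeholder.
 */
public final class SelfCheck {
    // PLACEHOLDER: SHA-256 fingerprint of the expected release signing certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";
    // The installer name the post says the hook returns to look Play-installed.
    private static final String PLAY_INSTALLER = "com.google.android.feedback";

    private SelfCheck() {}

    /** True if the package's single signing certificate matches the pinned fingerprint. */
    public static boolean signerMatches(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            // GET_SIGNATURES == 0x40 (64): the flag value the hook watches for.
            PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) {
                return false; // expect exactly one signer; anything else is suspicious
            }
            return EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(info.signatures[0]));
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** True if the package reports having been installed by the expected installer. */
    public static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager()
                .getInstallerPackageName(ctx.getPackageName());
        return PLAY_INSTALLER.equals(installer);
    }

    /** Hex SHA-256 of the DER-encoded signing certificate. */
    static String sha256Hex(Signature sig) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Both results are only as trustworthy as the process that computes them, so they raise the bar against casual repackaging but are not a substitute for a check performed outside the app, such as a server-side license verification.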

Smalihook seems to be part of the AntiLVL (Android License Verification Library Subversion) cracking tool. The purpose of these tools is to break license protection systems, and they are aimed at developers who want to test their own protections against common types of attacks.

The tool is publicly available and can be downloaded from the link below:

  •  http://androidcracking.blogspot.fi/p/antilvl_01.html

Smalihook is also available on the same page:

  •  http://androidcracking.blogspot.fi/2011/03/original-smalihook-java-source.html

The author of Smalihook seems to use the handle "lohan"; the author's contact information is also available on the same page.

Incidentally, the site included this notice:

androidcracking (7k image)

"For educational purposes only" …oh, wait…

—————

Post by — Marko

 
 

 
 
Tuesday, January 14, 2014

 
Android: "Fake" Minecraft App Posted by Sean @ 15:56 GMT

Every other Monday, our Threat Research team contributes to PC Magazine's Mobile Threat Monday. And yesterday's post is about a fake (hijacked) Minecraft app.

PC Magazine, Mobile Threat Monday: Fake Minecraft Scams Android Gamers

Max Eddy:

"F-Secure told SecurityWatch that the phony Minecraft PE is currently available on several Russian app stores. This isn't surprising as not all third party stores vet their apps as thoroughly as Google, making some of them havens for malicious applications.

Careful readers will probably remember that cloned versions of popular apps are nothing new; in fact, it's a common tactic to trick victims into downloading and installing malicious applications. These fake apps are generally free, to further entice victims, but this ersatz Minecraft PE bucks the trend by charging 2.50 Euros for the app; the real app costs 5.49 Euros."

Fake_Minecraft_Added_Permission

The real game is included, but the package additionally requests android.permission.SEND_SMS, and the payment system has been "enhanced".

Check out PC Magazine for the full story: Mobile Threat Monday: Fake Minecraft Scams Android Gamers.

Updated to add: two additional screenshots related to this app.

Once installed, it includes the option to activate via SMS:

Options

And here are the instructions:

activation instructions

 
 

 
 
Monday, January 13, 2014

 
NSA: We Are Heavily Biased Toward Defense Posted by Sean @ 16:34 GMT

On January 7th, Wired magazine published an article by Steven Levy titled: How the NSA Almost Killed the Internet.

It's definitely worth a read.

But among other things there's this bit from Rick Ledgett, a deputy director who heads the NSA's Media Leaks Task Force:

"We are heavily biased toward defense," Ledgett adds, citing one case in which the NSA discovered a serious vulnerability in one company's software that could have impacted users all over the world. "We talked about it for a few days internally and decided it was so critical to the entirety of the US government and most of America that we disclosed [the vulnerability to that company]. We could have made hay on that forever on a huge range of targets."

Rick Ledgett

Wow. The NSA responsibly disclosed *a* serious vulnerability. Well… kudos to the NSA!

That one anecdotal story of disclosure almost (but not even quite) makes up for the numerous zero-day exploits, drivers signed with stolen (JMicron and Realtek) certificates, MD5 hash collisions, and the CPLINK vulnerability unleashed upon the world via Stuxnet, Duqu, and Flame.

We are heavily biased toward defense?

Please. That just doesn't pass the straight face test.

 
 

 
 
Thursday, January 9, 2014

 
Spam Overdose Yields Fareit, Zeus and Cryptolocker Posted by Karmina @ 13:15 GMT

Somebody has been busy these past two days... We have seen a massive spam surge with the same subjects and attachments in our spam traps.

emails (40k image)



emailstats (28k image)



The attachments usually have the following filenames.

attachname (11k image)

The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.

The two samples taken from this spam run were seen connecting to the following locations to send the stolen information:
  •  networksecurityx.hopto.org
  •  188.167.38.131
  •  94.136.131.2
  •  66.241.103.146
  •  37.9.50.200

In addition to stealing data, these samples download other malware, including Zeus P2P, from:
  •  ip-97-*.net/zA6.exe
  •  119*4/fF3krry.exe
  •  rot*.com/124Tzh.exe
  •  ww*ng.net/bpuMp.exe
  •  dev*.com/1mHifVu.exe
  •  surfa*.com/DJm.exe
  •  kl*.com/Q4EzT.exe

Other malware seen installed on the system included Cryptolocker.



Apparently, spam overdose results in malware overdose.

Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.

Polar Vortex Special: iPhone 5s in a Freezer Posted by Sean @ 12:46 GMT

Folks in the USA are experiencing some very cold weather this week — and so there are many media stories referencing "sub-zero" weather and the "polar vortex". And of smartphones failing in the cold…

NPR: Forget Tweeting The Polar Vortex. Phones Fail In Subzero Temps
Source: NPR

Being no strangers to cold in Finland — we recently replicated our 2007 iPhone in a freezer experiment.


YouTube: iPhone 5s in a Freezer

Don't have an iPhone?

Check out Ossi Jaaskelainen's article: Sub-Zero Weather: Can Your Smartphone Stand The Cold?

 
 

 
 
Tuesday, January 7, 2014

 
'Tis the Season of the Canada Goose Posted by SecResponse @ 17:01 GMT

Scammers are getting creative. Since online pharmacies, fake watches and generic goods have become commonplace, they are now switching to peddling seasonal products. Starting around last September, registrations of websites selling suspicious Canada Goose jackets have been sprouting like mushrooms. People living near the poles have a love affair with this brand. They are one of the manufacturers of down jackets that make someone's winter experience a little warmer. As such, they have a loyal following. Apparently, the scammers are now aware of this.

Recently, advertisements for these sites have appeared on Facebook for users in Finland. This is pretty sad because, considering the prices of Canada Goose jackets here in Finland, these offers can really make someone's eyes pop.

fb3-blur (94k image)


fb-mobile (232k image)



Upon clicking the ads, one ends up on a normal-looking shopping site, complete with all the online shopping bells and whistles.

canada_goose (332k image)



The ads have some mixed comments, from people saying that this is too good to be true, to those who almost bought them.

Now why do we think this site smells foul?
- The domain was registered with only one year of validity
- The registrant is not local to the country/continent the site sells to (it is currently registered in China)
- The site sells goods at a 50-70% discount (have you ever seen Canada Goose at these prices?)
- The site uses no encryption while the user is filling in personal information
- The store/site is not an official Canada Goose retailer according to Canada Goose's online retailer search tool:

arctic_parka3 (21k image)



Oakley was also victimized by this scamming method last year, and they took strong measures by seizing the sites and giving visitors some information about it:

oakley_legal2 (188k image)



Kudos to Oakley for being so vigilant against this!

Although these reputable brands are taking strong measures to take down these fake sites, it's possible that a potential buyer may stumble upon them before the actual brand owners do. As such, we can't emphasize it strongly enough: please be extra careful when shopping online. Scam sites are sprouting everywhere and are selling anything that anyone could possibly want. If this is the first time you have heard of the website, you are unsure of its reputation, and the offers are very tempting, it would be best not to shop there. There is no certainty that you will get the right product, or even anything at all in return.

F-Secure users with Browsing Protection enabled are protected from these suspect sites.

—————

Post by — Karmina and Christine